CVE-2026-12948 in PortServer TS
Summary
by MITRE • 07/07/2026
A stored cross-site scripting (XSS) vulnerability in the web management interface of the Digi PortServer TS, Digi One SP, Digi One SP IA, and Digi One IA allows a remote, authenticated administrator to inject script into certain system configuration fields. The script subsequently executes in the browser of a user who views the affected pages (CWE-79).
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/07/2026
This vulnerability represents a critical stored cross-site scripting flaw that affects multiple Digi networking devices including the PortServer TS, Digi One SP, Digi One SP IA, and Digi One IA models. The security weakness resides within the web management interface of these industrial networking appliances, where authenticated administrative users can inject malicious scripts into specific system configuration fields. When legitimate users subsequently view the affected pages through their web browsers, the injected scripts execute in their browser context, creating a persistent cross-site scripting attack vector that can compromise user sessions and potentially escalate to full system compromise.
The technical implementation of this vulnerability maps directly to CWE-79 which defines cross-site scripting as a code injection attack that occurs when user-controllable data is embedded into web pages without proper sanitization or encoding. In this case, the Digi devices fail to adequately validate or sanitize input received through their web administration interface, allowing attackers with administrative credentials to store malicious payloads that persist in the device configuration. The vulnerability requires authentication but does not necessitate elevated privileges beyond standard administrative access, making it particularly dangerous in environments where administrative accounts may be compromised or where attackers have obtained legitimate administrative credentials through other means.
The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to steal session cookies, hijack administrator sessions, redirect users to malicious sites, or perform unauthorized actions within the device management interface. Attackers could potentially exfiltrate sensitive configuration data, modify device settings, or create backdoor access points that persist even after system restarts. The stored nature of this vulnerability means that once exploited, the malicious code remains embedded in the device's configuration until manually removed, providing attackers with persistent access to the affected systems. This characteristic aligns with ATT&CK technique T1059.007 for script execution and T1566 for credential harvesting through web-based attacks.
Mitigation strategies should focus on implementing proper input validation and output encoding mechanisms within the device management interfaces, ensuring that all user-controllable data is properly sanitized before being stored or rendered in web pages. Network segmentation and access controls should be implemented to limit administrative access to these devices, while multi-factor authentication should be enforced for administrative accounts. Regular security updates from Digi should be applied promptly, and administrators should conduct regular audits of device configurations to detect any unauthorized modifications. Additionally, web application firewalls and intrusion detection systems can help identify and block malicious script injection attempts, while user education about phishing and credential protection remains essential to prevent unauthorized access to administrative accounts that could exploit this vulnerability.